Two weeks after its Twitter account was compromised, the SEC has confirmed that the threat actors behind the hack were likely able to obtain control of the cell phone number associated with the SEC account through a SIM swapping attack.
Attackers use SIM swapping to transfer phone numbers to another device without authorization, allowing them to receive voice and SMS communications associated with that number and effectively enabling them to reset passwords or bypass two-factor authentication (if targets rely on texts or calls to that phone number for the second form of authentication) for various accounts.
In the incident with the SEC’s account on Jan. 9, attackers used SIM swapping to first take control of the phone number associated with the Twitter (also known as X) account and subsequently reset the account’s password. Attackers were then able to send posts from the compromised account purporting to announce the SEC’s approval of spot bitcoin exchange traded funds and interact with two posts from non-SEC accounts.
“Access to the phone number occurred via the telecom carrier, not via SEC systems,” said the SEC in a Monday statement. “SEC staff have not identified any evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts.”
The SEC’s multi-factor authentication protections associated with its Twitter account were also thrust into the spotlight after Twitter Safety said that its investigation found that the account did not have 2FA enabled at the time the account was compromised. On Monday, the SEC confirmed that MFA - although previously enabled on its account - had been disabled by Twitter support at the SEC staff’s request in July 2023, due to issues in accessing the account. After the access was reestablished, the SEC said that MFA remained disabled for six months until the account was compromised on Jan. 9. MFA is now enabled for all SEC social media accounts, according to the SEC.
The SEC said that law enforcement is currently investigating how the attackers got the carrier to change the SIM for the account, and how they knew what phone number was associated with the account.
Attackers are typically able to carry out SIM swapping by convincing a mobile phone provider employee (either by bribery or by posing as the victim) to swap a victim's phone number to an attacker-controlled SIM card. This would require some level of social engineering; in order to obtain a phone number, for instance, attackers may need to do some digging through available open-source information to link an account to an identifiable person, such as looking at social media managers that list their responsibilities on LinkedIn. After stealing these phone numbers, attackers can use them to reset passwords on various online accounts - including email, cloud storage and cryptocurrency exchange accounts.
SIM swapping account takeover, an attack that has been around for many years, has previously led to compromises of other high-profile Twitter accounts - including former Twitter CEO Jack Dorsey’s account in 2019. In 2019 and 2020, senators and representatives attempted to push the Federal Communications Commission (FCC) to hold wireless carriers accountable for protect consumers from this type of attack.
This latest hack, along with another hack of Mandiant’s Twitter account earlier this month, has also put a focus on MFA policies and how these protections are leveraged on Twitter’s platform. According to Twitter in a 2022 account security report, 2.6 percent of active Twitter accounts had at least one 2FA method enabled (between July 2021 to December 2021), with the majority of those users leveraging SMS-based 2FA.
The use of SMS messages for a second factor of authentication has been abused by threat actors, and entities like NIST have long encouraged consumers to move away from SMS-based 2FA and instead adopt more secure means of multi-factor authentication like hardware tokens or authentication apps.
In a letter to Deborah Jeffrey, Inspector General of the SEC, earlier in January, Sen. Ron Wyden (D-Ore.) argued that the SEC should be using “industry best practices” for MFA and cited a policy memo issued in 2022 by the Office of Management and Budget (OMB) requiring federal agencies to use “phishing-resistant MFA, including security keys” (notably, this requirement only applied to agency-hosted systems and not social media websites).
“A hack resulting in the publication of material information for investors could have significant impacts on the stability of the financial system and trust in public markets, including potential market manipulation,” according to Wyden’s letter. “We urge you to investigate the agency’s practices related to the use of MFA, and in particular, phishing-resistant MFA, to identify any remaining security gaps that must be addressed.”
The SEC said it is continuing to work with various law enforcement and federal oversight entities, including the FBI, CISA, DoJ and the Commodity Futures Trading Commission, to investigate the hack.